What is Fail2Ban

If you have no mechanism in place to deter these login attempts, your system is susceptible to brute-force attack. Basically, a script or bot will keep attempting SSH connections to your system, trying various combinations of usernames and passwords.

This is where a tool like Fail2Ban comes into the picture. Fail2Ban is free and open source software that helps secure your Linux server against malicious logins. Fail2Ban bans the offending IP (for a certain time) once a certain number of failed login attempts has been reached.

Fail2Ban works out of the box with its basic settings, but it is extremely configurable as well. You can tweak it to your liking and create filters and rules as per your needs.

Sounds interesting? Why not test Fail2Ban? Read and follow the rest of the article and try Fail2Ban yourself.

Installing Fail2Ban on Linux

You can guess the popularity of Fail2Ban from the fact that it is available in the official repositories of all the major Linux distributions. This makes installing Fail2Ban a simple task.

Install Fail2Ban on CentOS & Red Hat

You need to be root or a sudo user in order to install new software on your system.

Make sure that your system is up to date and that the EPEL repository is installed:

sudo yum update && sudo yum install epel-release

Now you can install Fail2Ban with the following command:

sudo yum install fail2ban

Install Fail2Ban on Ubuntu & Debian

First, make sure your system is updated:

sudo apt update && sudo apt upgrade -y

Now, install Fail2Ban with this command:

sudo apt install fail2ban

Understanding Fail2Ban configuration file

There are two main configuration files in Fail2Ban: /etc/fail2ban/fail2ban.conf and /etc/fail2ban/jail.conf. Let me explain what they do.

/etc/fail2ban/fail2ban.conf: This is the configuration file for the operational settings of the Fail2Ban daemon. Settings like the log level, log file, socket and pid file are defined here.

/etc/fail2ban/jail.conf: This is where all the magic happens. This is the file where you configure things like the default ban time, the number of retries before an IP is banned, whitelisted IPs, mail notification settings etc. Basically, you control the behavior of Fail2Ban from this file.

Before you go and change these files, Fail2Ban advises making a .local copy of each conf file (for example jail.local next to jail.conf). This is because the default conf files can be overwritten during updates, and you would lose all your settings.

Now let's understand the jail.conf file. If you use the less command to read this big file, it may seem quite confusing. The conf file tries to explain everything with far too many comments. So, let me simplify it for you.

The jail.conf file is divided into services. There is a [DEFAULT] section that applies to all services. Then you can see the various services with their respective settings (if any). Each service name appears in square brackets: you'll see sections like [sshd], [apache-auth], [squid] etc.

findtime: The window in which failed attempts from an IP are counted together. The default is 10 minutes. Suppose a bad login is attempted by a certain IP at 10:30. If the same IP reaches the maximum number of retries before 10:40, it will be banned. Otherwise, the next failed attempt after 10:40 is counted as the first failed attempt again.

maxretry: The number of failed retries before an action is taken

usedns: The "warn" setting attempts a reverse-DNS lookup of the hostname and bans using the hostname. Setting it to no bans IPs, not hostnames.

destemail: The email address to which the alerts will be sent (needs to be configured)

sender: The sender name in the notification email

mta: Mail Transfer Agent used for notification email

banaction: This parameter points to the /etc/fail2ban/action.d/iptables-multiport.conf file, which defines the action taken after the maximum number of failed retries

protocol: The type of traffic that will be dropped after the ban

If you want to make changes for any jail (or for all jails), like the maximum retries, ban time, find time etc., you should edit the jail.local file.
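To make findtime, maxretry, ignoreip and the [DEFAULT] inheritance concrete, here is an added example (not part of the original article and not Fail2Ban's own code) that parses a small constructed jail.local fragment and replays constructed sshd log lines with the same window logic Fail2Ban applies: an IP is banned only when maxretry failures fall within findtime seconds of each other, and addresses in ignoreip are never counted. It assumes the values are plain seconds and only recognises the "Failed password" line sshd writes.

```python
import configparser
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed jail.local fragment using real jail.conf key names (values are made up, in seconds).
JAIL_LOCAL = """
[DEFAULT]
ignoreip = 127.0.0.1/8 ::1 192.168.1.0/24
findtime = 600
maxretry = 3
bantime = 3600
[sshd]
enabled = true
"""
# Constructed auth.log lines in sshd's format; the addresses are documentation ranges.
AUTH_LOG = """\
Jan 10 10:30:05 host sshd[1234]: Failed password for invalid user admin from 203.0.113.7 port 4040 ssh2
Jan 10 10:30:00 host sshd[1235]: Failed password for root from 198.51.100.9 port 5050 ssh2
Jan 10 10:33:10 host sshd[1236]: Failed password for root from 203.0.113.7 port 4041 ssh2
Jan 10 10:35:20 host sshd[1237]: Failed password for root from 203.0.113.7 port 4042 ssh2
Jan 10 10:36:00 host sshd[1238]: Failed password for root from 198.51.100.9 port 5051 ssh2
Jan 10 10:41:30 host sshd[1239]: Failed password for root from 198.51.100.9 port 5052 ssh2
Jan 10 10:50:00 host sshd[1240]: Failed password for root from 192.168.1.20 port 6060 ssh2
Jan 10 10:50:05 host sshd[1241]: Failed password for root from 192.168.1.20 port 6061 ssh2
Jan 10 10:50:10 host sshd[1242]: Failed password for root from 192.168.1.20 port 6062 ssh2
"""
FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for .* from (\S+) port")

def load_jail(text, jail="sshd"):
    # A jail section inherits anything it does not override from [DEFAULT].
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    nets = [ipaddress.ip_network(n, strict=False) for n in cp.get(jail, "ignoreip").split()]
    return cp.getint(jail, "findtime"), cp.getint(jail, "maxretry"), nets

def bans_for(log_text, findtime, maxretry, ignore_nets):
    # Replay the log; an IP is banned once maxretry failures fall inside one findtime window.
    hits, banned = defaultdict(list), {}
    for m in filter(None, map(FAIL_RE.match, log_text.splitlines())):
        when, ip = datetime.strptime(m.group(1), "%b %d %H:%M:%S"), m.group(2)
        if any(ipaddress.ip_address(ip) in n for n in ignore_nets):
            continue  # listed in ignoreip: never counted
        # Keep only earlier failures within findtime seconds of this one, then add this one.
        hits[ip] = [t for t in hits[ip] if (when - t).total_seconds() <= findtime] + [when]
        if len(hits[ip]) >= maxretry and ip not in banned:
            banned[ip] = when.strftime("%H:%M:%S")
    return banned
```

With this data only 203.0.113.7 is banned (three failures within 10 minutes); 198.51.100.9 also fails three times, but its first failure drops out of the window, and 192.168.1.20 is whitelisted.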

How to use Fail2Ban to secure Linux server

Let me show you some of the ways you can use Fail2Ban to harden Linux security.

But if you check your Fail2Ban version, you are probably running version 0.10.

fail2ban-server --version
Fail2Ban v0.10.2
Copyright (c) 2004-2008 Cyril Jaquier, 2008- Fail2Ban Contributors
Copyright of modifications held by their respective authors.
Licensed under the GNU General Public License v2 (GPL).

In earlier versions, you could use a negative bantime (bantime = -1), which was equivalent to a permanent ban. If you try this method on 0.10, you'll probably see an error like: Starting fail2ban: ERROR NOK: ('database disk image is malformed',)

One not-so-clean workaround is to increase the bantime to something like 1 day, 1 week, 1 month or 1 year. This circumvents the problem until a newer version is available on your system.

How to unban IP blocked by Fail2Ban

First, check whether the IP is actually being blocked. Since Fail2Ban works on top of iptables, you can inspect the iptables rules to see the IPs your server has banned: